Russian Hacking and Russian Roulette on the Internet

Federal intelligence agencies recently released a report alleging Russian involvement in the unlawful collection and distribution of sensitive information related to the 2016 presidential election.

Valuable assets are usually carefully protected. Stealing gold from Fort Knox or jewels from Tiffany’s is not an easy task. Those charged with protecting these and other assets take their jobs seriously and take precautions to prevent theft.

Stealing information online, however, from the likes of John Podesta is all too often child’s play. Individuals with valuable Internet information often do not safeguard it. As Secretary of State, Mrs. Clinton recklessly kept her government Internet information on a home server. Other prominent individuals had embarrassing moments when their emails related to the 2016 campaign were publicly released.

Remarkably, no one responsible for the lapses in protecting sensitive and government confidential information has been punished. Nor have those who stole the information. Had Russia agents stolen classified information from a file cabinet in the Pentagon, those responsible would be in prison. Stealing and disseminating online information is an amateur sport with no liability for those responsible for losing information. Our current set of laws and property rights often do not give sufficient incentives for individuals to take sufficient precautions to protect information.

While reasonably protecting information is a responsibility, stealing information is a crime. So too is distributing the stolen information. Yet in our current Internet culture, stealing information such as music and videos is a common crime. When John Podesta’s emails are stolen, many individuals are understandably outraged. When a rock band’s music, valuable computer software, or a pharmaceutical company’s patented process is stolen, the outrage is muted. The sense of violation of property should be no different.

The costless dissemination of stolen information on the Internet is even more damaging than the initial theft. Trafficking of stolen intellectual property on the Internet is common. Groups such as the Trustworthy Accountability Group actively seek to track down and discourage pirate websites that steal intellectual property. We have a long way to stop the dissemination of stolen personal information. The website Wikileaks operates with seeming impunity in disseminating stolen private information.

The theft and unlawful dissemination of online information is different from the theft of physical property. Only one entity can steal a specific bar of gold, and only one entity can possess it. Theft of online information is different. If one entity can steal it, chances are, more than one entity can and has stolen it. In the realm of online theft, teenage hackers and foreign governments are indistinguishable in their deeds and equally guilty. Once online information is stolen, it is often ubiquitously disseminated.

It is refreshingly naïve to hope and to believe that only one entity has stolen information and disseminated the information online. The recent declassified intelligence report appears to blame Russia as the only entity that stole information to influence the 2016 election. The allegations are of course chilling. The report misses a much larger problem.

Many individuals, companies, and nations have the capability of stealing online information. Some of these entities likely engaged in information theft. The less-clever entities may eventually be identified; the cleverer ones likely never will. We are led by the intelligence report to believe not only that Russia was the only entity engaged in stealing information, but it was so stupid as to be caught.

Perhaps worst of all, we as a country now publicize our intelligence conclusions. Since World War II, our government has engaged in cat-and-mouse game of detecting what the Russians can do. Usually we are clever enough to keep our findings to ourselves rather than reveal to the Russians what we know. Why today do we tell them?

It would be naïve to believe that only one entity or one company actually stole information during the 2016 campaign. It would be even more naïve to believe that entity has been identified. A hostile government, for example, that had recovered all of the information from Mrs. Clinton’s server would have more to gain by remaining quiet about its knowledge rather than advertising its success.

Just two years ago, North Korea was accused of infiltrating Sony’s information system, but never admitted it. Nor did North Korea ever pay any cost for such a malevolent exercise. Judging by how no one has admitted to having purloined the Clinton or other election information, our adversaries are either technologically incompetent or more clever than we are. The smart money is on the latter interpretation.

As a nation, we have not developed the cultural abhorrence of information theft or sufficient laws and rules to make cybercrime unprofitable. Individuals such as Mrs. Clinton and Mr. Podesta find no great incentive to protect information, whether required by federal law or not. Countless entities likely steal our online information, and we do little about it. With our current society and laws, cybercrime pays. We need to take the protection of information and the punishment of thieves far more seriously if we want to stop cybercrime.

Our challenge is not so much Russian hacking as our playing Russian roulette in failing to protect online information. With our current set of rules, we are bound to lose.